I reviewed simdutf 7.7.1-1 as checked into resolute. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
simdutf is a fast Unicode parser, allowing for validating, computing, and
transcoding Unicode characters at "billions of characters per second".
- CVE History
  - None
  - The reports linked in the bug report seem to be oss-fuzz reports
    against simdutf which were not assigned CVE identifiers.
  - For example: https://github.com/simdutf/simdutf/issues/539
  - Issues not assigned CVE numbers are harder to track, and therefore
    CVE assignment is a nice-to-have, especially for issues that are
    exploitable. It is unclear whether these issues were not deemed
    important enough for a CVE assignment, or whether upstream does not
    assign CVE numbers to security issues, or anything in between. It
    would be nice to have clarification on this.
- Build-Depends
  - Very small amount of builddeps. Looks good.
- pre/post inst/rm scripts
  - None
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - ./usr/bin/fastbase64
  - ./usr/bin/sutf
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - Has quite a few unit tests. No issues here.
  - No autopkgtest suite.
- cron jobs
  - None
- Build logs
  - Seem fine.
- Processes spawned
  - None
- Memory management
  - Many memcpy calls
  - Some of them could be error-prone, like overlapping buffers, but with
    the extensive test suite it seems like these are properly tested to
    ensure that there are no errors.
  - There are also risky operations like reinterpret_cast, but overall these
    are expected from an application prioritizing performance.
- File IO
  - Has some file opening in Python code. The Python code seems to be present
    primarily for development of simdutf itself, like simplifying adding
    functions to C files.
- Logging
  - Does not do logging; seems to throw some runtime_error exceptions.
    There don't seem to be any issues here.
- Environment variable usage
  - An environment variable selects the parsing implementation. If not
    specified, it seems to detect the best implementation based on the
    current system. There don't seem to be any issues here.
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc.
  - None
- Use of temp files
  - None
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None
- Any significant cppcheck results
  - None
- Any significant Coverity results
  - None; only a few false positives, mostly detections in tests, as well as
    complaints about big stack usage.
- Any significant shellcheck results
  - None
- Any significant bandit results
  - None
- Any significant govulncheck results
  - N/A
- Any significant Semgrep results
  - None
Overall, the code looks clean and maintainable. Despite the nature of the
application being focused on performance, maintainers have put in extra
effort to ensure that the code does not cause issues, with proper testing,
fuzz testing, as well as variable naming and comments.
The only concern identified is the fuzz testing results not being assigned
CVE numbers, as it is generally hard to justify heap-buffer overflows not
being CVE worthy. However, after contacting the upstream security contact
about further clarification, it seems like upstream does not assign CVE
identifiers for issues that only affect the main development branch and do
not affect any version releases, which is perfectly fine. Therefore, we do
not think this would be an issue in future security tracking.
Security team ACK for promoting simdutf to main.
** Bug watch added: github.com/simdutf/simdutf/issues #539
   https://github.com/simdutf/simdutf/issues/539

** Changed in: simdutf (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: simdutf (Ubuntu)
       Status: New => In Progress
https://bugs.launchpad.net/bugs/2131217
Title:
[MIR] simdutf
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs